openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
dc207459fe
openstack-ansible-os_keystone/templates/keystone.conf.j2
Kevin Carter 107bed13e3 Enable SSL termination for all services 
This change makes it so that all services are expecting SSL termination
at the load balancer by default. This is more indicative of how a real
world deployment will be setup and is being added such that we can test
a more production like deployment system by default.

The AIO will now terminate SSL in HAProxy using a self-signed cert.

Change-Id: I09a7b9f0f180a79b4f46bb51322f96b1b2715f5b
Re-Implementation-Of: https://review.openstack.org/#/c/277199/9
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-03-03 11:02:37 -06:00

171 lines
5.0 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
[DEFAULT]
verbose = {{ verbose }}
debug = {{ debug }}
admin_token = {{ keystone_auth_admin_token }}
{% if keystone_public_endpoint is defined %}
public_endpoint = {{ keystone_public_endpoint }}
{% endif %}
admin_endpoint = {{ keystone_service_adminuri }}
fatal_deprecations = {{ keystone_fatal_deprecations }}
member_role_name = {{ keystone_default_role_name }}
{% if keystone_external_ssl | bool %}
secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
{% endif %}
log_file = keystone.log
log_dir = /var/log/keystone
rpc_backend = {{ keystone_rpc_backend }}
{% if keystone_ceilometer_enabled %}
notification_driver = messagingv2
{% endif %}
{% if 'memcache' in keystone_token_driver and 'fernet' not in keystone_token_provider %}
[memcache]
servers = {{ keystone_memcached_servers }}
max_compare_and_set_retry = {{ keystone_memcached_max_compare_and_set_retry }}
{% endif %}
{% if keystone_cache_backend_argument is defined %}
[cache]
backend = dogpile.cache.memcached
backend_argument = {{ keystone_cache_backend_argument }}
config_prefix = cache.keystone
distributed_lock = True
enabled = true
{% endif %}
[revoke]
caching = true
driver = {{ keystone_revocation_driver }}
expiration_buffer = {{ keystone_revocation_expiration_buffer }}
cache_time = {{ keystone_revocation_cache_time }}
[auth]
{% if keystone_sp is defined %}
methods = {{ keystone_auth_methods }},saml2
saml2 = keystone.auth.plugins.mapped.Mapped
{% else %}
methods = {{ keystone_auth_methods }}
{% endif %}
{% if keystone_database_enabled | bool %}
[database]
connection = {{ keystone_database_connection_string }}
idle_timeout = {{ keystone_database_idle_timeout }}
min_pool_size = {{ keystone_database_min_pool_size }}
max_pool_size = {{ keystone_database_max_pool_size }}
pool_timeout = {{ keystone_database_pool_timeout }}
{% endif %}
[fernet_tokens]
key_repository = {{ keystone_fernet_tokens_key_repository }}
max_active_keys = {{ keystone_fernet_tokens_max_active_keys }}
[identity]
{% if keystone_ldap.Default is not defined %}
driver = sql
{% endif %}
{% if keystone_ldap | length > 0 %}
domain_config_dir = {{ keystone_ldap_domain_config_dir }}
domain_specific_drivers_enabled = True
{% endif %}
[assignment]
driver = {{ keystone_assignment_driver }}
[resource]
cache_time = {{ keystone_resource_cache_time }}
caching = true
driver = {{ keystone_resource_driver }}
[token]
enforce_token_bind = permissive
expiration = {{ keystone_token_expiration }}
caching = true
cache_time = {{ keystone_token_cache_time }}
provider = {{ keystone_token_provider }}
{% if 'fernet' not in keystone_token_provider %}
driver = {{ keystone_token_driver }}
{% endif %}
# We need to /temporarily/ disable catalog caching due to [1], once
# upstream keystone bug [2] is fixed we can remove this [catalog]
# section entirely.
# [1] https://review.openstack.org/#/c/215212/
# [2] https://review.openstack.org/#/c/271536/
[catalog]
caching = false
{% if keystone_idp is defined %}
[saml]
certfile = "{{ keystone_idp.certfile }}"
keyfile = "{{ keystone_idp.keyfile }}"
idp_entity_id = "{{ keystone_idp.idp_entity_id }}"
idp_sso_endpoint = "{{ keystone_idp.idp_sso_endpoint }}"
idp_metadata_path = "{{ keystone_idp.idp_metadata_path }}"
{% if keystone_idp.organization_name is defined %}
idp_organization_name = {{ keystone_idp.organization_name }}
{% endif %}
{% if keystone_idp.organization_display_name is defined %}
idp_organization_display_name = {{ keystone_idp.organization_display_name }}
{% endif %}
{% if keystone_idp.organization_url is defined %}
idp_organization_url = {{ keystone_idp.organization_url }}
{% endif %}
{% if keystone_idp.contact_company is defined %}
idp_contact_company = {{ keystone_idp.contact_company }}
{% endif %}
{% if keystone_idp.contact_name is defined %}
idp_contact_name = {{ keystone_idp.contact_name }}
{% endif %}
{% if keystone_idp.contact_surname is defined %}
idp_contact_surname = {{ keystone_idp.contact_surname }}
{% endif %}
{% if keystone_idp.contact_email is defined %}
idp_contact_email = {{ keystone_idp.contact_email }}
{% endif %}
{% if keystone_idp.contact_telephone is defined %}
idp_contact_telephone = {{ keystone_idp.contact_telephone }}
{% endif %}
{% if keystone_idp.contact_type is defined %}
idp_contact_type = {{ keystone_idp.contact_type }}
{% endif %}
{% endif %}
[eventlet_server]
admin_bind_host = {{ keystone_bind_address }}
admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }}
{% if keystone_messaging_enabled | bool %}
[oslo_messaging_rabbit]
rabbit_port = {{ keystone_rabbitmq_port }}
rabbit_userid = {{ keystone_rabbitmq_userid }}
rabbit_password = {{ keystone_rabbitmq_password }}
rabbit_virtual_host = {{ keystone_rabbitmq_vhost }}
rabbit_hosts = {{ keystone_rabbitmq_servers }}
rabbit_use_ssl = {{ keystone_rabbitmq_use_ssl }}
{% endif %}
{% if keystone_sp is defined %}
[federation]
remote_id_attribute = Shib-Identity-Provider
{% if keystone_sp.trusted_dashboard_list is defined %}
{% for item in keystone_sp.trusted_dashboard_list %}
trusted_dashboard = {{ item }}
{% endfor %}
{% endif %}
{% endif %}
View Git Blame Copy Permalink